php - Should uploaded files be renamed? -


i've been reading on php file upload security , few articles have recommended renaming files. example, owasp article unrestricted file upload says:

it recommended use algorithm determine filenames. instance, filename can md5 hash of name of file plus date of day.

if user uploads file named cake recipe.doc there reason rename 45706365b7d5b1f35?

if answer yes, whatever reason, how keep track of original file name , extension?

to primary question, practice rename files, answer definite yes, if creating form of file repository users upload files (and filenames) of choosing, several reason:

  1. security - if have poorly written application allows download of files name or through direct access (it's horrid, happens), it's harder user, whether maliciously or on purpose, "guess" names of files.
  2. uniqueness -- likelihood of 2 different people uploading file of same name high (ie. avatar.gif, readme.txt, video.avi, etc). use of unique identifier decreases likelihood 2 files of same name.
  3. versioning -- easier keep multiple "versions" of document using unique names. avoids need additional code parse filename make changes. simple example document.pdf document(1).pdf, becomes more complicated when don't underestimate users abilities create horrible names things.
  4. length -- working known filename lengths better working unknown filename lengths. can know (my filepath) + (x letters) length, (my filepath) + (random user filename) unknown.
  5. os -- length above can create problems when attempting write extremely random/long filenames drive. have account special characters, lengths , concerns trimmed filenames (user may not receive working file because extension has been trimmed).
  6. execution -- it's easy os execute file named .exe, or .php, or (insert other extension). it's hard when there isn't extension.
  7. url encoding -- ensuring name url safe. cake recipe.doc not url safe name, , can on systems (either server or browser side) / situations, cause inconsistencies when name should urlencoded value.

as storing information, typically in database, no different need have already, since need way refer file (who uploaded, name is, occassionally stored, time of upload, size). you're adding actual stored name of file in addition user's name file.

the owasp recommendation isn't bad 1 -- using filename , timestamp (not date) unique. take step further include microtime timestamp, , other unique bit of information, duplicate upload of small file couldn't occur in same timeframe -- store date of upload additional insurance against md5 clashes, has higher probability in systems store many files , years. incredibly unlikely generate 2 md5s, using filename , microtime, on same day. example be:

$filename = date('ymd') . '_' . md5($uploaded_filename . microtime());

my 2 cents.


Comments

Post a Comment

Popular posts from this blog

php - get table cell data from and place a copy in another table -

two-part question: have 2 tables: 1 table items , other table selected items copied when add button clicked. after, when items wanted selected, there 'finished' button post items selected db. i started javascript didn't far @ because jquery seems better suited i'm not familiar it function addto() { var div = document.getelementbyid('fixeddiv','inside'); div.innerhtml = div.innerhtml + 'item added'; } <div id='fixeddiv'> <table align="center" id="tradee"> <th rowspan="2"> other item</th> <?php while($rowi =$item->fetch_assoc()) {?> <tr> <td> <?php echo $rowi['item_name']; ?> </td> <td><?php echo $rowi['item_description'];?></td> </tr> <?php } ?> </table> <br> <table align="center" id="tradetable"
Read more

javascript - Mootools wait with Fx.Morph start -

i trying var effect = new fx.morph(testmorph, { wait/delay 2 seconds before starting. ( fiddle here ) but when try .wait(2000) or .delay(2000) , or .wait(2000, effect) uncaught typeerror: object [object object] has no method 'delay' any ideas how working? code i'm using: var testmorph = document.id('testmorph'); var effect = new fx.morph(testmorph, { transition: 'back:out', duration: 900, link: 'chain' }).start({ 'top': 20, 'opacity': 1 }).start({ 'border-color': '#a80025', 'color': '#a80025' }); effect.delay(2000); you can use combination of chain() , delay() achieve desired effect. new fx.morph(testmorph, { transition: 'back:out', duration: 900, link: 'chain' }).start().chain(function(){ this.start.delay(2000,effect,{ //first }); }).chain(function(){ this.start({ //second }); }); the
Read more

php - Navigate throught databse rows -

i run image hosting site, , ive run problem. want make 2 buttons beside pic "next image" , "prev image". im new php/mysql , haveing troubles. check out got. use id (numbers) find correct row, have image name build next link. how make below query next , prev image names + ids? $query_next = ("select imageid, image_name images image_name = '$image_main' order imageid desc limit 1"); $query_prev = ("select imageid, image_name images image_name = '$image_main' order imageid asc limit 1"); // next $next = mysql_query($query_next); // prev $prev = mysql_query($query_prev); while ($row = mysql_fetch_assoc($next)) { $next = $row['image_name']; } while ($row = mysql_fetch_assoc($prev)) { $prev = $row['image_name']; } the html = > simple stuff. <a href="http://mysite.com/view_image/<?=$next?>">next image</a> <a href="http://mysite.com/view_image/<?=$pr
Read more